September 18, 2009

Battling a virus

Today I write about battling a computer virus. Man, it was painful. And I haven’t won yet. I don’t think I will.

I had a drive-by-download infection. I don’t even know the site — here’s the scenario.

I was using OfficeLive at the time, reading some email. I walked away to go to the restroom, and while there, I heard a “Thunk” sound from the computer — one of those red system error messages on screen, saying that my computer is virus infected. Except it was fake — It tried to look like a Windows error message, and I know what real detection messages look like.

But it was too late — the message came from a local program — the computer was already infected with a fake antivirus program. I don’t know the infection vector, but then came my clean-up experience.

I have OneCare — which couldn’t keep up with the virus or detect all the components. I even got to a “clean” state from OC– but isn’t — a different part of the story… Anyway, I immediately fired up onecare and tried to clean the system when I saw that pop-up. Lots of disk trashing, and a terrible error message. OneCare detected two threats, but reported being able to clean only one. The virus had a rootkit, and OC couldn’t remove it. Not a very helpful error message — basically the message said, We detected two threats, but could only clean 1. Sorry.

Now this virus was well rooted, and written to exploit group policy. Let’s talk about the things it did:

1. It set the DisableTaskManager policy. Why is group policy honored in XP Home outside a domain? For Pete’s sake, this is a bug. Disabling TaskManager is a bad design. The policy should disable launching programs through Task Manager, but not Task manager itself — you can’t kill the threat components without it…

2. It would kill any cmd, regedit, or taskmgr launch instantly, with a fake, “This file has been infected” message. ( The grammar on these messages were wrong. Obviously, English is not the native language of the writer. )

There was no way I could beat the Virus and rootkit as long as the PC was booted into this OS, so I decided to try booting to a CD. Except I didn’t know where my CD’s where — probably high on a shelf in the Garage, but that’s another story. What I really wanted was an offline system cleaner. Something like the Microsoft Stand-alone System sweeper. Except you can’t get it. No-one even knows what it is — but I do. But couldn’t find a legit download site. I found torrents and warez versions — but not the official, direct from MS version. It’s supposed to be free… Free is pointless if it can’t be found. I could find PDF docs for it — but no binaries.. And I don’t have a volume license, so I can’t get DaRT.

Luckily, I know where an unopened Vista DVD set is — I had bought Vista for this PC, but hated it so much on other PCs, that I never installed it. So, I got my Vista DVDs, booted to recovery console. Went into the %windir% on down, and began looking for any file with a creation time of “Today”. Most viruses target %windir% or %programfiles%, so I hunted in there. I was able to find and remove many components of the Virus. Enough to kill the rootkit and fake AV programs. I then rebooted the machine — got a single ASEP error — Windows couldn’t launch the Virus executable ( because I had deleted it ), and I removed the ASEP for the executable after the boot. Started up OC with my machine off the network ( I disabled WiFi on the box… ), and did a quick scan. My sigs were up to date as of 7:00 PM that night, and I got the Virus at 9:50 PM, so I have all definition files… OC “cleaned” the machine of all threats ( really, it didn’t — I did that manually… ), and I then did a reboot and full scan.

OC Full scan said the machine was clean, no threats detected. Machine looked and acted normally. The machine is fully patched, and always is up to date. I have a hardware firewall at the router, and I have OC firewall turned on. Should be good, right?

So I turn networking back on. Bang! OC detects the Vendo worm. I say “clean” — but I end up in boot cycle hell. OC detects the worm, cleans it, restarts, re-detects the worm on reboot. Ad infinitum. I can’t get the machine clean. I either missed an ASEP someplace, or a system component is modified — and I don’t know which one — or there’s an unknown exploit…